NHS trust fined record 325,000 for auctioning off online computer hard drives filled with HIV patients' detailsIndividual working for IT provider removed at least 252 of the approximate 1,000 hard drives he was supposed to destroy from Brighton General Hospital in 2010Personal data belonging to tens of thousands of patients and staff was then sold on auction website

|

UPDATED:

15:29 GMT, 1 June 2012

An NHS trust has been fined a record amount after it sold computer hard drives in an online auction without first removing confidential details about patients with HIV.

Brighton and Sussex University Hospitals NHS Trust has been served with a Civil Monetary Penalty (CMP) of 325,000 following a serious breach of the Data Protection Act.

The fine is the highest issued by the Information Commissioner’s Office since it was granted the power to issue CMPs in April 2010.

Security breach: An individual working for an IT provider removed at least 252 of the approximate 1,000 hard drives he was supposed to destroy from Brighton General Hospital (pictured) in 2010

It follows the discovery of highly sensitive personal data belonging to tens of thousands of patients and staff – including some relating to HIV and Genito Urinary Medicine patients – on hard drives sold on an Internet auction site in October and November 2010.

The data included details of patients’ medical conditions and treatment, disability living allowance forms and children’s reports.

It also contained documents containing staff details including National Insurance numbers, home addresses, ward and hospital IDs, and information referring to criminal convictions and suspected offences.

The data breach occurred when an individual engaged by the Trust’s IT service provider, Sussex Health Informatics Service, was tasked to destroy approximately 1,000 hard drives held in a room accessed by key code at Brighton General Hospital in September and October 2010.

A data recovery company bought four hard drives from a seller on an Internet auction site in December 2010, who had purchased them from the individual.

The ICO was assured in its initial investigation following the discovery that only these four hard drives were affected.

But a university contacted the body in
April 2011 to advise that one of their students had purchased hard
drives via an Internet auction site.

'Patients of the NHS rely on the service to keep their sensitive personal details secure. The Trust failed significantly in its duty to its patients, and also to its staff'

An examination of the drives established that they contained data which belonged to the Trust.

The Trust was unable to explain how the individual removed at least 252 of the approximate 1,000 hard drives he was supposed to destroy from the hospital during his five days on site.

He is not believed to have known the key code needed to access the room where the drives were stored, and was usually supervised by staff.

However, the Trust has acknowledged that the individual would have left the building for breaks, and that the hospital is publicly accessible.

David Smith, the ICO’s Deputy Commissioner and Director of Data Protection, said: 'The amount of the CMP issued in this case reflects the gravity and scale of the data breach.

'It sets an example for all organisations – both public and private – of the importance of keeping personal information secure.

'That said, patients of the NHS in particular rely on the service to keep their sensitive personal details secure.

'In this case, the Trust failed significantly in its duty to its patients, and also to its staff.'

The ICO said the Trust has since committed to providing a secure central store for hard drives and other media, reviewing the process for vetting potential IT suppliers, obtaining the services of a fully accredited ISO IT waste disposal company, and making progress towards central network access.